Abstract

The notion of a universally utility-maximizing privacy mechanism was recently introduced
by Ghosh, Roughgarden, and Sundararajan [STOC 2009]. These are mechanisms that guarantee
optimal utility to a large class of information consumers, simultaneously, while preserving
Differential Privacy [Dwork, McSherry, Nissim, and Smith, TCC 2006]. Ghosh et al. have
demonstrated, quite surprisingly, a case where such a universally-optimal differentially-private
mechanism exists, when the information consumers are Bayesian. This result was recently
extended by Gupte and Sundararajan [PODS 2010] to risk-averse consumers.

Both positive results deal with mechanisms (approximately) computing a single count query
(i.e., the number of individuals satisfying a specific property in a given population), and the
starting point of our work is an attempt to extend these results to similar settings, such as sum
queries with non-binary individual values, histograms, and two (or more) count queries. We
show, however, that universally-optimal mechanisms do not exist for all these queries, both for
Bayesian and risk-averse consumers.

For the Bayesian case, we go further, and give a characterization of those functions that
admit universally-optimal mechanisms, showing that a universally-optimal mechanism exists,
essentially, only for a (single) count query. At the heart of our proof is a representation of a
query function $f$ by its privacy constraint graph $G_f$ whose edges correspond to values resulting
by applying $f$ to neighboring databases.

1 Introduction



Differential Privacy [6] is a rigorous notion of privacy that allows learning global ('holistic')
information about a collection of individuals while keeping each individual's information private.
The literature of differential privacy is now rich in techniques for constructing differentially
private mechanisms, including some generic techniques such as the addition of Laplace noise with
magnitude calibrated to global sensitivity [6], addition of instance-based noise calibrated to smooth
sensitivity [13], and the exponential mechanism [12]. These and other techniques allow performing
a wide scope of analyses in a differentially private manner, including conducting surveys over
sensitive information, computing statistics, data mining, and sanitization. The reader is referred
to [3] for a recent survey.

An immediate consequence of differential privacy is that (unless computing a constant function)
a mechanism cannot compute a deterministic function. In other words, a differentially private
version of an analysis would be a randomized approximation to the analysis, and furthermore, it
would generally be possible to choose from a host of implementations for a task (e.g., the three
generic techniques mentioned above may result in different mechanisms). Naturally, the designer
of the analysis should choose one that is useful. Usefulness, however, depends on how the outcome
of the analysis would be used, i.e., on the preferences of its consumer, whom we henceforth refer
to as an information consumer. Such a trade-off between uncertainty and utility, while taking
the consumer's preferences into account, is the subject of rational-choice theory and decision theory,
as noted in [9, 10].

We discuss the two models of utility which were previously discussed in [9, 10]. In both, the
information consumer has side information (her own world-view or previous knowledge), and a
loss function which quantifies the consumer's preferences and the quality of the solution for her
problem. Intuitively, it describes how bad a deviation from the exact answer is for the consumer,
a measure of her intolerance towards the inaccuracy imposed by differentially private mechanisms.
Finally, the models assume that the consumers are rational - they combine the structure of the
mechanism, their side information and their personal loss function (preferences) with the goal of
minimizing their loss, or, equivalently, maximizing their utility. The two models differ in the way
side information is formulated and, respectively, in how the utility function is defined. Subject to
the requirements of differential privacy, one usually has a choice from a collection of implementations.
As discussed in decision theory and assuming rational information consumers, each consumer will
choose a mechanism which maximizes her utility. This is an optimal mechanism for this consumer.

Information consumers' accuracy requirements vary: for some consumers only an exact answer
would be of value, whereas others may aim at minimizing the estimate bias ($\ell_1$ error), or its
variance ($\ell_2$ error), and, clearly, many other criteria exist. It seems that a discussion of the utility
of differentially private mechanisms should take this rich variety into account. The recent work of
Ghosh, Roughgarden, and Sundararajan [9] has put forward a serious attempt at doing exactly that
with respect to (oblivious) Bayesian information consumers. In this utility model, the consumer's
side information is described as an a priori distribution on the exact result of the analysis. The
recent work of Gupte and Sundararajan [10] considers a related model where the information
consumers are risk-averse. Here, the information consumer's knowledge is a set of possible values the
exact analysis can take, and an optimal mechanism minimizes the consumer's worst-case expected
loss.

Composition theorems for differential privacy only guarantee that the degradation in privacy
is not more than exponential in the number of invocations. Hence, while different consumers may
exhibit different optimal mechanisms, a very important goal is to avoid invoking that multiplicity of
mechanisms. This degradation is part of the motivation for the work on sanitization where a family
of queries are answered at once [51 H E], the work on privacy under continual observation [3], and
the construction of the Median Mechanism [14]. A surprising result of Ghosh, Roughgarden, and
Sundararajan [9] is that invoking a multiplicity of optimal mechanisms may not be necessary. They
consider a database that is a collection of binary inputs (e.g., pertaining to having some disease)
and Bayesian information consumers that wish to count the number of one entries in the database
(equivalently, compute the sum of the entries). They show the existence of a single mechanism that
enables optimality for all Bayesian information consumers (the mechanism needs to be invoked
only once). The mechanism itself is not optimal for all Bayesian information consumers; however,
each consumer can perform a deterministic remapping on the outcome of the common mechanism,
where the remapping is chosen according to her notion of utility, and locally output a result that is
effectively according to one of her optimal mechanisms. Such a common mechanism is referred to as
universally optimal. An analogous result for risk-averse information consumers was shown in [10].

Are these results of [9] and [10], which deal with the simple case of a single count query,
"accidental", or can they be extended to other queries? To multiple queries? One would anticipate
that universally-optimal mechanisms should exist (at least) for those queries that are closely related
to counting, such as sum queries where the inputs are non-binary, histograms, and bundles of two or
more count queries.

1.1 Our Results and Directions for Future Progress 

In contrast with the anticipation expressed in the previous paragraph, we show that settings in 
which universally optimal mechanisms exist are extremely rare, and, in particular, in both the 
setting of Bayesian and of risk-averse information consumers, universally optimal mechanisms do 
not exist even for sum queries where the inputs are non-binary, histograms, and bundles of two or 
more count queries. 

Moreover, in the case of Bayesian information consumers, we give a characterization of those
functions of the data that admit universally optimal mechanisms. The characterization makes use
of a combinatorial structure of the query function $f : \mathcal{D}^n \to \mathcal{R}_f$, where $\mathcal{D}$ is the domain of the
database records and $\mathcal{R}_f$ is the output space of the query function. We define this combinatorial
structure of the query, $G_f$, and call it a privacy constraint graph. The vertices of $G_f$ correspond
to values in $\mathcal{R}_f$, and edges correspond to pairs of values resulting by applying $f$ to neighboring
databases. (This graph was examined in some proofs in [11] as well.) We show:

Theorem 4.2 (Informal). If $G_f$ contains a cycle then no universally optimal mechanism exists for
$f$.

Theorem 4.3 (Informal). If $G_f$ is a tree that contains a vertex of degree 3 or more, then no
universally optimal mechanism exists for $f$ for better values of the privacy parameter.

Facing the impossibility of universal optimality, an alternative may be found in an approximate
notion, which enables (approximate) optimality to (approximately) all of the information
consumers. A good notion of approximate optimality should allow constructing such mechanisms
for sum queries, histograms, and more. Furthermore, it should allow performing several queries
and satisfy a composition requirement, in the sense that when applying two such mechanisms to two
different queries, the resulting composed mechanism should be somewhat approximately optimal
for the two queries together.

Finally, we note that, following prior work, we focus on oblivious mechanisms (see Section 2.2
for the technical definition). In Section 3 we show that for the intuitive generalizations of count
queries, enabling non-oblivious universal mechanisms from which optimal oblivious mechanisms are
derived still leaves the construction of universally optimal mechanisms impossible. The question
whether non-oblivious universally-optimal mechanisms exist for some other natural abstract queries,
from which all oblivious universally-optimal mechanisms may be derived, is left open.

1.2 Related Work 

Most relevant to our work are the papers by Ghosh, Roughgarden, and Sundararajan [9] and by
Gupte and Sundararajan [10]. Ghosh et al. show that the geometric mechanism (a discrete version
of the Laplace mechanism of [6]) yields optimal utility for all Bayesian information consumers for a
count query. Their proof begins by observing that all differentially private mechanisms correspond
to the feasible region of a Linear Program (a polytope), and that minimizing disutility can be
expressed as minimizing a linear functional. Hence, every Bayesian information consumer has an
optimal mechanism corresponding to a vertex of the polytope, which in turn corresponds to a subset
of the constraints of the Linear Program which are tight (optimal mechanisms not corresponding to
the polytope vertices may also exist). They introduce a constraint matrix that uniquely corresponds
to a vertex of the polytope, and indicates which constraints are tight, and which are slack on that
vertex. Those constraint matrices that correspond to optimal mechanisms are shown to have some
special structure that allows deriving mechanisms with the same signature (and thus equal) from
the geometric mechanism using some deterministic remapping on its output.

We are also interested in observing the tight constraints in some mechanisms. We will not need 
the full description of the structure of such a constraint matrix. Instead we only use the observation 
that tight privacy constraints can be derived only from mechanisms that also obey similar tight 
constraints. 

Gupte and Sundararajan show similar results for the risk-averse utility model, where consumers
try to minimize their maximal worst-case disutility. They provide a full characterization of the
mechanisms which are derivable (by random remapping) from the geometric mechanism and use
this characterization to construct a universally-optimal mechanism for a count query. An interesting
feature of the construction is that it releases noisy answers of the query at different privacy levels,
thus keeping more privacy against specific consumers, and enabling more utility to others.

Also related to our work is the recent work of Kifer and Lin [11] that studies privacy and utility,
in a very general setting, from an axiomatic point of view. They introduce a partial order on
mechanisms where mechanism $Y$ is at least as general as mechanism $X$ if $X$ can be derived from
$Y$ by post-processing. They also introduce the concept of maximal generality, which turns out to be
useful in our proofs.

2 Preliminaries 

2.1 Differential Privacy [6] 

Simply speaking, a mechanism which preserves differential privacy will output, for any two databases
which 'look alike', the same result with similar probabilities. More formally, consider databases
$D_1, D_2 \in \mathcal{D}^n$ which consist of $n$ records out of some domain $\mathcal{D}$. The Hamming distance between
$D_1$ and $D_2$ is the number of records on which they differ. We will call databases at distance one
neighboring.

Definition 2.1 (Differential Privacy [6]). Let $M : \mathcal{D}^n \to \mathcal{R}$ be a probabilistic mechanism. $M$
preserves $\alpha$-differential-privacy for $\alpha \in (0,1)$ if for any two neighboring databases $D_1, D_2 \in \mathcal{D}^n$
and any (measurable) subset of the mechanism's range $S \subseteq \mathcal{R}$,

$$\Pr[M(D_1) \in S] \ge \alpha \cdot \Pr[M(D_2) \in S]. \tag{1}$$

The probability is taken over the coin tosses of the mechanism $M$.

Notice that the greater $\alpha$ is, the less the mechanism's output depends on the exact query result,
and so better privacy is attained.

2.2 Oblivious Mechanisms 

We consider a setting where several information consumers are interested in estimating the value of
some query $f(\cdot)$ applied to a database $D \in \mathcal{D}^n$, and answered by a differentially private mechanism
$M$. Ghosh et al. [9] show that if no restriction is put on the mechanism, then no universally optimal
mechanism exists for count queries (intuitively, universal optimality, defined below, means that all
potential consumers minimize their loss simultaneously). On the other hand, universally optimal
mechanisms sometimes do exist if we restrict our mechanisms such that their output distribution
depends only on the exact query result (a.k.a. oblivious mechanisms). This is why in [9] (and
later in [10]) only oblivious mechanisms are considered.¹ We follow suit and only consider oblivious
mechanisms. We show in Subsection 3.2.1 that this restriction does not weaken the basic results
presented in Section 3.

Definition 2.2 (Oblivious Mechanism). Let $f : \mathcal{D}^n \to \mathcal{R}_f$ be a query. A mechanism $M : \mathcal{D}^n \to \mathcal{R}$
is $f$-oblivious (or simply oblivious) if there exists a randomized function $\tilde{M} : \mathcal{R}_f \to \mathcal{R}$ such that,
for all $D \in \mathcal{D}^n$, the distributions induced by $M(D)$ and $\tilde{M}(f(D))$ are identical.

Combining $\alpha$-differential privacy with obliviousness, we get that for every $i, i' \in \mathcal{R}_f$ which are
outputs of neighboring databases $D, D'$ (i.e., $f(D) = i$ and $f(D') = i'$),
$\Pr[M(i) \in S] \ge \alpha \cdot \Pr[M(i') \in S]$ for all $S \subseteq \mathcal{R}$.

2.2.1 Oblivious Differentially Private Mechanisms for a Count Query 

An oblivious finite-range mechanism $M : \mathcal{D}^n \to \mathcal{R}$ estimating $f : \mathcal{D}^n \to \mathcal{R}_f$ can be described
by a row-stochastic matrix $X = (x_{i,j})$ of the underlying randomized mapping $M$, whose rows are
indexed by elements of $\mathcal{R}_f$, and whose columns are indexed by elements of $\mathcal{R}$, where $x_{i,j}$ equals
the probability of outputting $j \in \mathcal{R}$ when $f(D) = i$. Since $\mathcal{R}$ is finite, and information consumers
anyway remap the outcome of $M$, we can assume, wlog, that $\mathcal{R} = \{0, 1, 2, \dots, |\mathcal{R}| - 1\}$.

We now consider the case where $\mathcal{D} = \{0, 1\}$ and $f(D)$ counts the number of one entries in $D$.
Hence, $\mathcal{R}_f = \{0, \dots, n\}$ and the matrix $X$ is of dimensions $(n + 1) \times |\mathcal{R}|$. Preserving $\alpha$-differential
privacy poses constraints on the transition matrix $X$ beyond row-stochasticity. Note that for the
count query, the query results of two neighboring databases may differ by at most one. Differential
privacy hence imposes the constraints $x_{i,j} \ge \alpha x_{i+1,j}$ and $x_{i+1,j} \ge \alpha x_{i,j}$ where $i \in \{0, \dots, n-1\}$
and $j \in \mathcal{R}$. Adding row-stochasticity and differential privacy, we get that an oblivious differentially
private mechanism for the count query should satisfy the following linear constraints:

$$x_{i,r} \ge \alpha x_{i+1,r} \qquad \forall i \in \{0, \dots, n-1\},\ \forall r \in \mathcal{R} \tag{2}$$
$$\alpha x_{i,r} \le x_{i+1,r} \qquad \forall i \in \{0, \dots, n-1\},\ \forall r \in \mathcal{R} \tag{3}$$
$$\sum_{r \in \mathcal{R}} x_{i,r} = 1 \qquad \forall i \in \{0, \dots, n\} \tag{4}$$
$$x_{i,r} \ge 0 \qquad \forall i \in \{0, \dots, n\},\ \forall r \in \mathcal{R} \tag{5}$$

¹ The impossibility of universal optimality when the mechanisms are not restricted to being oblivious is proved in [9]
for Bayesian information consumers. For risk-averse consumers, [10] show that non-oblivious mechanisms may be
replaced with oblivious ones without affecting the consumers' utility for the worse.



2.3 Utility Models 

We use the utility models defined in [9] and [10]. In both, a loss function $\ell(i,r)$ quantifies an
information consumer's disutility when she chooses to use answer $r$ while the correct answer is $i$.
Given a loss function $\ell(\cdot,\cdot)$ of an information consumer, if the exact answer is $i$ then her expected
loss is $\sum_{r \in \mathcal{R}} x_{i,r} \cdot \ell(i,r)$.² Loss functions vary between consumers, and the only assumption made
in [9, 10] is that $\ell(i,r)$ depends on $i$ and $|i - r|$ and is monotonically non-decreasing in $|i - r|$ for
all $i$. (This is a reasonable requirement that turns out to be crucial for the existence of a universally
optimal mechanism [9].) Examples of loss functions include $\ell_1(i,r) = |i - r|$ (consumers who care
to minimize expected mean error); $\ell_2(i,r) = (i - r)^2$ (minimize error variance); and $\ell_{\mathrm{bin}}(i,r)$ that
evaluates to 0 if $i = r$ and to 1 otherwise (minimize number of errors).

Information consumers differ in their knowledge about the exact $f(D)$. References [9] and [10]
model this knowledge differently, as we now describe.



Bayesian Model [9]. In the Bayesian utility model, an information consumer's knowledge is
represented by a vector $p$ where $p_i$ is the consumer's a priori probability that $f(D) = i$. Having a
vector of prior probabilities $p$ and loss function $\ell(\cdot,\cdot)$, the consumer's expected loss can be expressed
as $\sum_i p_i \cdot \sum_r x_{i,r} \cdot \ell(i,r)$. The optimal mechanisms for this information consumer hence are the
solutions of the linear program in the variables $x_{i,r}$ consisting of the constraints in Equations (2)-(5)
and the objective

$$\text{minimize} \quad \sum_{i \in \mathcal{R}_f} p_i \cdot \sum_{r \in \mathcal{R}} x_{i,r} \cdot \ell(i,r). \tag{6}$$

Risk-Averse Model [10]. In the risk-averse utility model an information consumer's knowledge
restricts the possible values for the exact $f(D)$. This is expressed by a set $S \subseteq \mathcal{R}_f$ of the possible
values $f(D)$ can take. The consumer is interested in minimizing her maximal expected loss
conditioned on $f(D) \in S$, i.e., $\max_{i \in S} \sum_r x_{i,r} \cdot \ell(i,r)$. Similarly to the above, the optimal
mechanism for an information consumer is a solution to a linear program consisting of the constraints in
Equations (2)-(5) and the objective

$$\text{minimize} \quad \max_{i \in S} \sum_{r \in \mathcal{R}} x_{i,r} \cdot \ell(i,r). \tag{7}$$

² This is only true if the consumer uses the mechanism $X$ directly, i.e., the consumer leaves the mechanism's output
as is, and does not apply a post-processing step. The ability to apply such a post-processing step on the mechanism's
output will be discussed in the next sub-section.

2.4 Remapping and Generality

An information consumer might have access to a private mechanism $U$ which is not tailored
specifically for her needs (i.e., to her prior knowledge and loss function). Yet, she may be able to recover
a better mechanism for her needs by means of post-processing, which we will denote remapping. To
intuit remapping, consider a consumer that knows that for the specific database the count query
cannot yield the answer 0. If that consumer receives a 0, it may be beneficial for her to remap it to
1. (Recall that the loss function is monotone in $|i - r|$.) Denoting the given mechanism by $U$ and
the remapping by $T$ (a row-stochastic linear transformation; $T$ has no access to the information of
the database other than the output of $U$), the actual mechanism that is used by the information
consumer is denoted $T \circ U$ (in matrix form: $UT$).

Notice that given a mechanism $U$ with a finite range, an information consumer can find the
optimal remapping $T$ for her (such that $T \circ U$ has optimal utility), by constructing a linear program
in which $T = (t_{i,j})$ are the program variables [10].
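The following Python sketch is an added example, not code from the paper. It builds a count-query mechanism as a row-stochastic matrix, checks constraints (2)-(5) in exact arithmetic, and evaluates objective (6) before and after the "remap 0 to 1" post-processing described above. The closed form used for the range-restricted geometric mechanism is an assumption taken from Ghosh et al. [9] (this page only names the mechanism), and the function names, $n = 3$, $\alpha = 1/2$ and the consumer's prior are constructed for illustration.

```python
from fractions import Fraction


def geometric_mechanism(n, alpha):
    """Range-restricted geometric mechanism for a count over n binary records.

    Entry [i][r] is Pr[output r | exact count i], with outputs 0..n. The closed
    form is an assumption taken from Ghosh et al. [9]; the page only names it.
    """
    a = Fraction(alpha)
    X = []
    for i in range(n + 1):
        row = []
        for r in range(n + 1):
            mass = a ** abs(i - r) / (1 + a)
            # Interior outputs carry two-sided geometric mass; the end points
            # 0 and n absorb the tails that would fall outside the range.
            row.append(mass if r in (0, n) else (1 - a) * mass)
        X.append(row)
    return X


def satisfies_constraints(X, alpha):
    """Constraints (2)-(5) for a count query: neighboring counts differ by one."""
    a = Fraction(alpha)
    stochastic = all(sum(row) == 1 and min(row) >= 0 for row in X)  # (4), (5)
    private = all(
        X[i][r] >= a * X[i + 1][r] and a * X[i][r] <= X[i + 1][r]  # (2), (3)
        for i in range(len(X) - 1)
        for r in range(len(X[0]))
    )
    return stochastic and private


def remap(U, T):
    """Mechanism the consumer actually uses after post-processing: U T."""
    return [[sum(u * T[k][j] for k, u in enumerate(row)) for j in range(len(T[0]))]
            for row in U]


def bayesian_loss(X, prior, loss):
    """Objective (6): expected loss under the consumer's prior."""
    return sum(p * sum(x * loss(i, r) for r, x in enumerate(X[i]))
               for i, p in enumerate(prior))


def demo(n=3, alpha=Fraction(1, 2)):
    U = geometric_mechanism(n, alpha)
    # Constructed consumer: knows the count is not 0 and uses the l_1 loss.
    prior = [Fraction(0)] + [Fraction(1, n)] * n
    l1 = lambda i, r: abs(i - r)
    # Deterministic remapping T: output 0 is reported as 1, all else unchanged.
    T = [[Fraction(int(j == max(k, 1))) for j in range(n + 1)]
         for k in range(n + 1)]
    V = remap(U, T)
    return (satisfies_constraints(U, alpha), satisfies_constraints(V, alpha),
            bayesian_loss(U, prior, l1), bayesian_loss(V, prior, l1))


if __name__ == "__main__":
    print(demo())
```

Both the original and the remapped matrix pass the constraint check, and the remapping lowers this consumer's expected loss without touching the database again.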

Definition 2.3 (Derivable Mechanisms, Generality Partial Order). Let $X, Y$ be private mechanisms.
We say that a mechanism $X$ is derivable from a mechanism $Y$ if there exists a random
remapping $T$ of the results of mechanism $Y$, such that $X = T \circ Y$. We also say that $Y$ is at least
as general as $X$, and denote this relation by $X \preceq_G Y$. If $X \preceq_G Y$ and $Y \preceq_G X$ we say that $X, Y$
are equivalent.

Definition 2.4 (Maximal Generality [11]). Let $X$ be an $\alpha$-differentially private mechanism. $X$ is
maximally general if for every $\alpha$-differentially private mechanism $Y$, if $X \preceq_G Y$ then $Y \preceq_G X$.

After introducing the notion of maximally general mechanisms (for any definition of privacy),
Kifer et al. fully characterize all maximally general private mechanisms with a finite input space
in the differential privacy setting. First they introduce the concept of column graphs³ of a private
mechanism, which mark the tight privacy constraints in one column of the mechanism $X$.

Definition 2.5 (Column graph [11]). Let $X$ be an $\alpha$-differentially private mechanism with a finite
input space. Let $r$ be some possible output of $X$, and $x_r$ be its corresponding column in $X$. Let
$I$ be the input space of $X$ (corresponding to $X$'s rows). The graph associated with this column
has $I$ as the set of nodes, and for any $i_1, i_2 \in I$, there is a directed edge $(i_1, i_2)$ if $i_1$ and $i_2$ match
neighboring databases and $x_{i_1,r} = \alpha x_{i_2,r}$, and a directed edge $(i_2, i_1)$ if $x_{i_2,r} = \alpha x_{i_1,r}$. The direction
of the edges is only necessary to distinguish between maximally general mechanisms which have
similar undirected column graphs, but it will not be essential to the rest of this article.

Kifer and Lin characterize the maximally general differentially private mechanisms with a finite 
input space: 

Theorem 2.6 ([11]). Fix a privacy parameter $\alpha$ and a database query $f$ with a finite range for
databases of a specific size. Let $X$ be an $\alpha$-differentially private mechanism with a finite range. Then
$X$ is maximally general iff each column graph of $X$'s columns (according to the privacy constraints
implied by $f$) is connected.

This theorem shows that we wish to maximize the set of tight privacy constraints in order to 
make a private mechanism as general as possible. Notice that having just one entry of a column 
in X and the spanning tree of this column's graph (we need to know the direction of the edges as 
well), determines all the entries of this column. 

³ Kifer et al. actually define row graphs and not column graphs. We follow the matrix structure of [9, 10] which is
simply the transposed matrix of the one used by Kifer et al., hence the difference in terminology.

2.5 Universal Mechanisms



Consider a collection of Bayesian information consumers, and suppose we wish to enable each of the
information consumers to sample a result from a differentially private mechanism optimizing her
utility. Ghosh et al. [9] showed that this does not necessarily require executing multiple mechanisms:
if the query is a count query, then it is possible to construct one universally optimal mechanism $U$,
from which all information consumers can simultaneously recover an optimal mechanism for their
needs by remapping. I.e., every information consumer has an optimal private mechanism which is
derivable from $U$. This result is repeated for risk-averse information consumers by Gupte et al. [10].
More formally:

Theorem 2.7 (Universal optimality, Bayesian consumers [9]). Fix a privacy parameter $\alpha \in (0, 1)$.
There exists an $\alpha$-differentially private mechanism $U$ for a single count query, such that for every
prior $p$ and every monotone loss function $\ell(\cdot,\cdot)$ there exists a (deterministic) remapping $T$ such
that $T \circ U$ implements an optimal oblivious mechanism for $p, \ell(\cdot,\cdot)$.

Theorem 2.8 (Universal optimality, risk-averse consumers [10]). Fix a privacy parameter
$\alpha \in (0, 1)$. There exists an $\alpha$-differentially private mechanism $U$ for a single count query, such that for
every set $S$ of possible outcomes and every monotone loss function $\ell(\cdot,\cdot)$ there exists a (probabilistic)
remapping $T$ such that $T \circ U$ implements an optimal oblivious mechanism for $S, \ell(\cdot,\cdot)$.

It turns out that in both theorems $U$ is realized by the geometric mechanism - a variant of the
mechanism adding Laplace noise of [6]. Note that there may be optimal mechanisms which cannot
be derived from the geometric mechanism, but for every information consumer there is at least one
private mechanism that is derivable from the geometric mechanism and is optimal for her.

3 Impossibility of Universally Optimal Mechanisms for Generalizations of Count Queries

When the domain of the database records is $\{0, 1\}$, a count query is equivalent to a sum query.
Theorems 2.7 and 2.8 can hence be thought of as applying to a sum query over the integers, where
the domain of the database is binary. It is natural to ask whether the results of these theorems
can be extended to showing that universally optimal mechanisms exist for sum queries when the
underlying data is taken from a larger domain such as $\mathcal{D} = \{0, 1, \dots, m\}$ where $m \ge 2$. We answer
this question negatively.

Consider the case $m = 2$. Recall that an oblivious differentially private mechanism can be
described by a row-stochastic matrix $X = (x_{i,j})$, such that $x_{i,j}$ is the probability of the mechanism
to return $j$ when the exact result is $i$. A difference of the case $m = 2$ from count queries ($m = 1$)
is that applying a sum query to two neighboring databases may yield results which differ by 0, 1,
or 2 (instead of 0 or 1). Therefore, in the linear program describing mechanism $X$, Equations (2)
and (3) should be replaced by the following four constraints (the range for $i$ in the other equations
should be modified to $0, \dots, 2n$):

$$x_{i,r} \ge \alpha x_{i+1,r}, \quad \alpha x_{i,r} \le x_{i+1,r} \qquad \forall i \in \{0, \dots, 2n-1\},\ \forall r \in \mathcal{R}$$
$$x_{i,r} \ge \alpha x_{i+2,r}, \quad \alpha x_{i,r} \le x_{i+2,r} \qquad \forall i \in \{0, \dots, 2n-2\},\ \forall r \in \mathcal{R}$$

Once again, a consumer's optimal mechanism can be found by solving a linear program with all
the constraints and the appropriate target function.

3.1 The Basic Impossibility Result for Sum Queries

We first consider the case where the database contains $n = 1$ record, taking values in $\{0,1,2\}$ (i.e.,
$m = 2$). Later, we generalize to $n > 1$ and $m > 2$. Note that in the case of $n = 1$, the non-oblivious
mechanisms are identical to oblivious mechanisms. We consider non-oblivious universal
mechanisms as well when generalizing this result to larger values of $n$.

Observation 3.1. In the Bayesian model there exists an information consumer whose only optimal
mechanism is

$$X = \frac{1}{1+2\alpha} \cdot \begin{pmatrix} 1 & \alpha & \alpha \\ \alpha & 1 & \alpha \\ \alpha & \alpha & 1 \end{pmatrix},$$

and an information consumer whose optimal mechanisms are all of the form

$$Y = \frac{1}{1+\alpha} \cdot \begin{pmatrix} 1 & \alpha & 0 \\ \alpha & 1 & 0 \\ q & 1+\alpha-q & 0 \end{pmatrix}, \quad \text{where } q \in [\alpha, 1].$$

Proof. Consider an information consumer with a prior $p = (\frac{1}{3}, \frac{1}{3}, \frac{1}{3})$ and a loss function $\ell_{\mathrm{bin}}$ (i.e.,
a penalty of 1 whenever she chooses an answer different from the exact result, and no penalty
otherwise). It is easy to see that no optimal mechanism for this consumer outputs a value not in
$\{0,1,2\}$.

The information consumer wishes to minimize

$$\sum_{i=0}^{2} p_i \sum_{r=0}^{2} x_{i,r} \cdot \ell(i,r) = \frac{1}{3} \sum_{i=0}^{2} \sum_{r \ne i} x_{i,r} = \frac{1}{3} \sum_{i=0}^{2} (1 - x_{i,i}) = 1 - \frac{1}{3} \sum_{i=0}^{2} x_{i,i}.$$

And so, the consumer's goal is to maximize $\sum_{i=0}^{2} x_{i,i}$ subject to maintaining $\alpha$-differential privacy.
For $i \in \{0, 1, 2\}$, having $\alpha$-differential privacy implies

$$\alpha x_{i,i} \le x_{j,i} \qquad \forall j \in \{0,1,2\} \setminus \{i\}, \tag{8}$$

and hence (by summing up Equation (8) for $j \ne i$), we get

$$2\alpha x_{i,i} = \sum_{j=0,\, j \ne i}^{2} \alpha x_{i,i} \le \sum_{j=0,\, j \ne i}^{2} x_{j,i}. \tag{9}$$

Summing up Equation (9) for $i \in \{0, 1, 2\}$ we get

$$2\alpha \sum_{i=0}^{2} x_{i,i} \le \sum_{i=0}^{2} \sum_{j=0,\, j \ne i}^{2} x_{j,i} = \sum_{i=0}^{2} (1 - x_{i,i}) = 3 - \sum_{i=0}^{2} x_{i,i},$$

and we can now conclude that $\sum_{i=0}^{2} x_{i,i} \le \frac{3}{2\alpha+1}$. This inequality is tight iff Equation (8) is tight
(i.e., $x_{j,i} = \alpha x_{i,i}$) for every $i \ne j$. In that case, we get the following system of linear equations:

$$x_{1,1} + \alpha x_{2,2} + \alpha x_{3,3} = 1$$
$$\alpha x_{1,1} + x_{2,2} + \alpha x_{3,3} = 1$$
$$\alpha x_{1,1} + \alpha x_{2,2} + x_{3,3} = 1$$

Since the three equations are linearly independent, we get a unique solution:
$x_{1,1} = x_{2,2} = x_{3,3} = \frac{1}{1+2\alpha}$.

A similar proof shows that mechanisms of the form $Y$ are the only mechanisms optimal for
information consumers with a prior $p_0 = p_1 = \frac{1}{2}, p_2 = 0$ and loss function $\ell_{\mathrm{bin}}$.

It may seem like we restrict ourselves only to information consumers with the $\ell_{\mathrm{bin}}$ loss function.
Note that, according to Theorem 2.6, there are not so many maximally general mechanisms whose
range is a subset of $\{0,1,2\}$, and some of them are not optimal for any consumer. Therefore,
the mechanisms described are also the only optimal mechanisms for a variety of other information
consumers, such as those whose prior is $p_0 = p_1 = \frac{1}{2}, p_2 = 0$ and loss function is $\ell_1$. Also, even more such
consumers can be found easily in any sequence of consumers which converge to consumers with
such unique optimal mechanisms (i.e., their priors and loss functions converge to the prior and loss
function of the consumer we chose). Such information consumers with close priors and close loss
functions to the ones described above will have the same unique optimal mechanisms. □

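Observation 3.2. In the risk-averse model there exists an information consumer whose only
optimal mechanism is

$$X = \frac{1}{1+2\alpha} \cdot \begin{pmatrix} 1 & \alpha & \alpha \\ \alpha & 1 & \alpha \\ \alpha & \alpha & 1 \end{pmatrix},$$

and an information consumer whose optimal mechanisms are all of the form

$$Y = \frac{1}{1+\alpha} \cdot \begin{pmatrix} 1 & \alpha & 0 \\ \alpha & 1 & 0 \\ q & 1+\alpha-q & 0 \end{pmatrix}, \quad \text{where } q \in [\alpha, 1].$$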

Proof. Consider an information consumer whose loss function is $\ell_{\mathrm{bin}}$ who knows the support of
the query is $S = \{0, 1, 2\}$. As in the previous observation, the support of any optimal mechanism
for this consumer must be a subset of $\{0, 1, 2\}$. Notice that if the consumer uses the mechanism
described by $X$ then her maximal expected loss is $\frac{2\alpha}{1+2\alpha}$.

Assume for a contradiction that the consumer has another mechanism $X'$ with maximal expected
loss at most $\frac{2\alpha}{1+2\alpha}$. I.e.,

$$\max\{x'_{0,1} + x'_{0,2},\ x'_{1,0} + x'_{1,2},\ x'_{2,0} + x'_{2,1}\} \le \frac{2\alpha}{1+2\alpha}. \tag{10}$$

Since $X' \ne X$, Equation (10) implies that $x'_{i,j} < \frac{\alpha}{1+2\alpha}$ for some $i \ne j$. Taking into account that
$X'$ is $\alpha$-differentially private we get $x'_{j,j} \le \frac{1}{\alpha} \cdot x'_{i,j} < \frac{1}{1+2\alpha}$, and hence the maximal expected loss
is at least $\sum_{r \ne j} x'_{j,r} = 1 - x'_{j,j} > 1 - \frac{1}{1+2\alpha} = \frac{2\alpha}{1+2\alpha}$, in contradiction to the assumption that this
mechanism is at least as good as $X$ for this information consumer.

A similar proof shows that mechanisms of the form $Y$ are the only mechanisms optimal for an
information consumer with auxiliary knowledge of the support $S = \{0, 1\}$ and loss function $\ell_{\mathrm{bin}}$.
As in the previous observation, the mechanisms described are also the only optimal mechanisms
for a variety of other information consumers. □

We will now use these two observations to show that in both models no universally optimal 
mechanism U exists. (This is true even if we allow U to have a non-discrete range.) 

Claim 3.3. No $\alpha$-differentially private mechanism can derive both $X$ and an instance of $Y$.

Proof. Assume for a contradiction that such a mechanism $U$ exists, so $X$ and some instance of $Y$
are both derivable from $U$. For simplicity we refer to this instance as $Y$. By Theorem 2.6, $X$ is a
maximally general mechanism. Therefore $U \preceq_G X$, and hence $Y \preceq_G X$, i.e., there exists a random
remapping $T$ such that $Y = XT$. Denote by $x_j$ the $j$th column of $X$, and by $y_k$ the $k$th column of
$Y$. We get that

$$y_k = t_{0,k} \cdot x_0 + t_{1,k} \cdot x_1 + t_{2,k} \cdot x_2, \qquad \forall k \in \{0, 1, 2\}.$$

Note that some $\alpha$-differential privacy constraints in $Y$ are tight. Specifically, $y_{1,0} = \alpha y_{0,0}$ and
$y_{0,1} = \alpha y_{1,1}$. As $Y$'s columns are non-negative linear combinations of $X$'s columns, such a tight
constraint in a column of $Y$ appears only if this column is a linear combination of columns of $X$ in
which the same privacy constraints are also tight. Note that the first two entries of every column
in $Y$ correspond to a tight constraint. But since $x_{0,2} = x_{1,2} > 0$, mapping this column of $X$ by $T$
to any column of $Y$ (even with just a positive probability), yields a mechanism with a column in
which the first two entries do not correspond to a tight constraint. Therefore, a contradiction. □



3.2 Generalizing the Impossibility Result for Sum Queries 

So far we have shown the following: if n, the number of records in the database, is 1, and the range 
of values is 0, . . . , m where m = 2, then no universal private mechanism for sum queries yields 
optimal utility for all consumers. Next, we generalize these impossibility results to the case m > 2 
(and n = 1), and later present also the case where n > 1. Hence, we will conclude the following 
theorem: 

Theorem 3.4. No universally optimal mechanism exists for sum queries for databases whose 
records take values in the set {0,1,... , m} where m > 2. This holds both for the Bayesian and 
the risk-averse utility models. 

3.2.1 Generalizing the Sum Query Impossibility Result to m > 2

Consider the case where the database consists of one record, and the possible values in this record
are 0 to m. Let

(11)



where $\alpha < q_i < 1$ and $\sum_{i=1}^{m} q_i = 1 + (m-1)\alpha$. Similar arguments to those used for the case m = 2
show that X is the unique optimal mechanism for an information consumer with loss function $\ell_{bin}$
and prior $p_0 = p_1 = \cdots = p_m =$ in the Bayesian utility model and for an information consumer
with support S = {0, 1, ..., m} in the risk-averse utility model. Also, mechanisms of the form Y
are the only optimal mechanisms for the information consumers with loss function $\ell_{bin}$ and prior
$p_0 = p_1 = \cdots = p_{m-1} = p_m =$ in the Bayesian model, and for an information consumer
with support S = {0, 1, ..., m − 1} in the risk-averse model. Once again, these mechanisms are
also the only optimal private mechanisms for a variety of other consumers as well. Using the same
arguments as those in the proof of Claim 3.3, it follows that X and Y are not derivable from one
single mechanism.



3.2.2 Generalizing the Sum Query Impossibility Result to n > 1 

Now consider the case where the number of records in the database is larger than 1. We first prove 
the impossibility of an oblivious universally optimal mechanism. Consider two consumers with loss 
function $\ell_{bin}$. The first consumer believes that the result of the sum query is bounded by m (in the
Bayesian case, the consumer holds a uniform prior over {0, ..., m}). No optimal mechanism for
this consumer returns values larger than m, so in the mechanism matrix the columns corresponding
to values greater than m contain zeros. Refer to some optimal mechanism for this consumer as X'.
Ignoring rows and columns of X' that correspond to values greater than m, the remaining entries
exactly form the mechanism X of Equation (11). (Observe that such an extension of mechanism
X is indeed feasible, as any row which pertains to a value greater than m can be identical to the
row which pertains to the value m, and so the privacy constraints hold. Such a mechanism is also
optimal, as the utility is a function of only the rows {0, 1, ..., m}, due to the consumer's prior, so
we cannot achieve a better utility than the utility gained by mechanism X.) The second consumer
believes that the query result cannot be larger than m − 1 (in the Bayesian case, the consumer
holds a uniform prior over {0, ..., m − 1}). Refer to some optimal mechanism for this consumer as
Y'. A similar argument shows that, ignoring rows and columns that pertain to values greater than
m, the remaining entries match the mechanism Y of Equation (11). Assume for a contradiction
that X' and Y' are both derivable from some mechanism U'. Therefore there exist remappings
T, S such that X' = U'T and Y' = U'S. Let U be the mechanism U' reduced to only the inputs
{0, 1, ..., m}. Reducing U' to U, we get that X = UT and Y = US. According to the previous
subsection these two mechanisms cannot be derived from a single oblivious mechanism, due to the
same arguments in the proof of Claim 3.3. Thus, a contradiction.

Now suppose for a contradiction that both the mechanisms are derived from a single non-
oblivious mechanism U*. This means that U*'s input space corresponds to databases rather than to
query results. Suppose there is a remapping T such that X* = U*T. This means that the rows of X*
correspond to databases as well. We assume that X* is oblivious (as universal optimality was shown
not to exist even for count queries when consumers choose non-oblivious optimal mechanisms [9]).
Therefore, applying U* on two databases with the same query result and then applying T on U*'s
output, yields identical rows in X* (which is described as a single row in the oblivious matrix X
above). Note that although X*'s input and output spaces are discrete (and so we can refer to
X* as a matrix), we assume nothing on U*'s outputs and T's inputs. Reducing U* to an input
space of only m + 1 databases with different query results and applying the remapping T on this
reduced mechanism's output, yields mechanism X completely. Similarly, applying some remapping
S on the same reduced mechanism yields mechanism Y. Now reduce U* to inputs which are
the databases (0, 0, ..., 0, q) where q is any possible record value. Refer to this mechanism as U.
According to the assumptions, we get that X = UT, Y = US. Also note that every two possible
inputs of U are neighboring databases, and so U must satisfy privacy constraints as any oblivious
mechanism. Therefore, we get a simple reduction to the case of an oblivious mechanism U, and the
same impossibility result applies also to the case of non-oblivious universal mechanisms.⁴ Thus, we
conclude Theorem 3.4.

3.3 Impossibility of Universally Optimal Mechanisms for Histogram Queries 

The previous subsection shows that no universally optimal mechanisms exist for sum queries. In
this and the following sections we consider other generalizations of count queries. One natural
generalization is to histogram queries, and another is to bundles of simultaneous count queries. We
begin with histogram queries. Note that a count query may be thought of as a histogram query
where the database records are partitioned into two categories: those which satisfy a predicate,
and those which do not. Consider now a histogram query which partitions the database records
into three categories or more.

4 Actually, this also shows that enabling universal non-oblivious mechanisms cannot resolve such impossibility
for every query whenever there are 3 (or more) values which are the exact query results of 3 different neighboring
databases.

Theorem 3.5. No universally optimal mechanism exists for histogram queries, except for his- 
tograms for one predicate and its complement or trivial predicates. This holds both for the Bayesian 
and the risk-averse utility models. 

Proof. Once again, consider first the case where there is only one record in the database, and
the query is for a histogram which partitions the possible records into three categories. The only
possible results for such a query are (1, 0, 0), (0, 1, 0) and (0, 0, 1). Notice that all these histograms
result from neighboring databases. Now consider information consumers whose loss function is
either $\ell_{bin}$ or $\ell_1$ (in the case of a histogram over one record they both result in 0 if the output
matches the exact result and a constant otherwise). Refer to the first possible result as 0, the
second possible result as 1, and the third possible result as 2. Notice now that we have exactly the
same constraints for valid mechanisms as we had for the sum query with just one record. Also, the
utility expression for each of the consumers is the same. The problem of universally optimizing the
utility for all $\ell_{bin}$ information consumers (or $\ell_1$ consumers) is now reduced to the same problem for
sum queries. According to Subsection 3.1, universally optimizing the utility for all such consumers
is impossible, and so it is impossible to construct a mechanism for this specific case as well.

We now generalize this result for histograms over larger databases and partitions of any number
of categories larger than 2. First, consider the case of querying one record for a histogram of c > 3
categories. This can easily be reduced to problems we have already answered negatively. One way
is to notice that as in the case where c = 3 (in which we reduced this problem to the problem of sum
queries where the records' values bound is m = 2), larger values of c can easily be reduced to sum
queries with larger bounds on the records' values m. For every number of c partitions, there are
exactly c possible results for the histogram over one record. They are all the results of neighboring
databases. Refer to these results as 0, 1, 2, ..., c − 1. Again, this is exactly like constructing a
universally optimal mechanism for sum queries over one record, in which the bound on its values
is m = c − 1. This is impossible as was shown in Subsection 3.2.1. Another way to be convinced is
to refer to the partitions as $A_1, A_2, \ldots, A_c$. Now consider only consumers whose loss functions
depend on the number of records in $A_1, A_2, (A_3 \cup A_4 \cup \cdots \cup A_c)$. These loss functions are monotone.
This reduces the current problem to the problem of histograms over a partition of only 3 categories,
to which we already proved negative results.

We now generalize this result further to any size of the database. The same argument that was 
applied in Subsection 3.2.2 for sum queries, applies here as well (even for the case of non-oblivious
universal mechanisms). Consider only consumers with a prior such that all records except perhaps 
one fall into one specific category of the histogram. Querying for a histogram on such a database 
reduces to the result of the same histogram over one record only. Even if we consider only these 
consumers, we know that no one single mechanism can optimize their utilities over all possible 
mechanisms. Since there is no such mechanism that optimizes these consumers' utilities, there is 
obviously no mechanism that yields optimized results for all possible consumers. Therefore, even 
for larger databases, there is no universally optimal private mechanism for histogram queries. □ 
3.4 Impossibility of Universally Optimal Mechanisms for Bundles of Count Queries

We now consider the generalization of single count queries to a bundle of count queries, where a 
bundle contains several simple (non trivial) count queries that need to be answered simultaneously. 
Note that a consumer's disutility for a bundle query need not be the sum of the losses for the separate 
basic queries - it may be a more involved function of the bundle outputs. For instance, a consumer 
with the $\ell_{bin}$ loss function has no loss if all the results he uses are correct, and has one unit of loss
if one or more of the results he uses are incorrect, no matter how many. Furthermore, information 
consumers may have auxiliary knowledge about the dependency between bundle outputs. 

Theorem 3.6. No universally optimal mechanism exists for bundles of more than one simultaneous 
non-trivial count queries. This holds both for the Bayesian and the risk-averse utility models. 

Proof. Such a generalization of count queries proves to be no different than the other intuitive gen-
eralizations we have already discussed. Note that two simultaneous non-trivial different predicates
actually partition the records domain into 4 categories: those which satisfy both predicates, those
which satisfy none of them, and those which satisfy just the first or just the second. If the predicates
are somehow related, then the predicates might partition the domain into only 3 categories. This
may happen in various cases, namely if one of the predicates is a subset of the other, if no record
can possibly satisfy both of the predicates, or if any possible record must satisfy at least one of the
predicates. Either way, there are always three different outputs for such bundles which result from
three neighboring databases. (This is of course true also if the bundle consists of more than two
simultaneous count queries.) Once more, consider two different information consumers. The first
has the $\ell_{bin}$ loss function and a uniform prior over these three outputs (resp., in the risk-averse
model, her support is the set of these three outputs). The second consumer also uses the $\ell_{bin}$ loss
function and has a uniform prior over two of these outputs (resp., in the risk-averse model, her
support is a set of two of these three outputs). Name these different outputs 0, 1 and 2. As in
the previous subsection, the problem of universally optimizing the utility for all $\ell_{bin}$ information
consumers is now reduced to the same problem presented in Subsection 3.1. (The constraints for
valid mechanisms are the same, and the utility expression for each of the consumers is the same.)
The only optimal mechanisms for the chosen information consumers are the same as those in
Observations 3.1 and 3.2. According to Claim 3.3, such mechanisms are not derivable from any single
private mechanism, and so universally optimizing the utility for all such consumers is impossible for
query bundles as well.

□ 

4 A Characterization of Universal Optimality in the Bayesian Setting

We now discuss a more general setting, where a query (not necessarily related to sum or count) is 
answered by a differentially private mechanism in the Bayesian utility model. We follow other works 
on this subject and only consider oblivious private mechanisms. Note that although our results 
do not exclude the possibility of non-oblivious differentially private mechanisms, our techniques 
yield that no such non-oblivious universally optimal mechanisms exist for many natural functions. 
Specifically, enabling universal non-oblivious mechanisms cannot resolve such impossibilities for 
a query whenever there are 3 (or more) values which are the exact query results of 3 different
neighboring databases. This is due to the same argument that was used in Subsection 3.2.2.

Let the database records be taken from a discrete domain $\mathcal{D}$ and let the query be $f : \mathcal{D}^n \to \mathcal{R}_f$
(wlog, we will assume that f is a surjective function, in which case $\mathcal{R}_f = \{f(D) : D \in \mathcal{D}^n\}$ is
also a discrete set). Define the following graph where edges correspond to answers f may give
on neighboring databases (and hence to restrictions on output distributions implied by differential
privacy):

Definition 4.1 (Privacy Constraint Graph). Fix a query $f : \mathcal{D}^n \to \mathcal{R}_f$. The Privacy Constraint
Graph for f is the undirected graph $G_f = (V, E)$ where $V = \mathcal{R}_f$ is the set of all possible query re-
sults and $E = \{(f(D_1), f(D_2)) : D_1, D_2 \in \mathcal{D}^n \text{ are neighboring}\}$. The degree of the constraint graph,
$\Delta(G_f)$, is the maximum over its vertices' degrees. For $i_1, i_2 \in \mathcal{R}_f$, $G_f$ induces a distance metric
$d_{G_f}(i_1, i_2)$ that equals the length of the shortest path in $G_f$ from $i_1$ to $i_2$.

Observe that the constraint graph is connected for any query f: If $i_1 = f(D_1)$ and $i_2 = f(D_2)$
then there is a sequence of neighboring databases starting with $D_1$ and ending in $D_2$, and hence a
path from $i_1$ to $i_2$ in $G_f$.

Recall that the results of [9, 10] are restricted to loss functions $\ell(i, r)$ that are monotonically
non-decreasing in the metric $|i - r|$. In our more general setting, we avoid interpreting outcomes
of f as points of a specific metric space, and hence we only consider the $\ell_{bin}$ loss function, which
would remain monotone under any imposed metric.

Outline of this Section. We are now ready to describe the results of this section. Let f be a
query, and $G_f$ its constraint graph. We first show that if $G_f$ is a single cycle, then no universally
optimal mechanism exists for f. This impossibility result is then extended to the case where $G_f$
contains a cycle.

Theorem 4.2. Fix a query $f : \mathcal{D}^n \to \mathcal{R}_f$, and let $G_f$ be its constraint graph. Consider Bayesian
information consumers with loss function $\ell_{bin}$. If $G_f$ contains a cycle then no universally optimal
mechanism exists for these consumers.

Constraint graphs of sum queries (for m > 2), histograms and bundles of queries all have cycles
of length 3, so, in the Bayesian utility model, Theorem 4.2 generalizes all our previous results.

Next, we consider the case where $G_f$ is a tree and show that if $G_f$ contains a vertex of degree
3 or higher, then no $\alpha$-differentially private universally optimal mechanism exists for f for $\alpha >
1/(\Delta(G_f) - 1)$. (Recall that the closer $\alpha$ is to one, the better privacy we get.)

Theorem 4.3. Fix a query $f : \mathcal{D}^n \to \mathcal{R}_f$, and let $G_f$ be its constraint graph. Consider Bayesian
information consumers with loss function $\ell_{bin}$. If the privacy parameter $\alpha > 1/(\Delta(G_f) - 1)$ then
no universally optimal mechanism exists for these consumers.

We can conclude from Theorems 4.2 and 4.3 that for $\alpha > 0.5$, the only functions f for which
universally optimal mechanisms exist are those where $G_f$ is a simple chain, as is the case for the
count query.
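
The classification given by Theorems 4.2 and 4.3 can be checked mechanically for small queries. The following Python sketch is an added example, not code from the paper: it enumerates databases to build the constraint graph of Definition 4.1 and applies the two impossibility criteria. The function names, the convention of skipping self-loops, and the star-shaped query are assumptions made for illustration.

```python
from itertools import product

def constraint_graph(f, domain, n):
    """Build G_f (Definition 4.1) by enumerating all databases in domain^n.

    Two databases are neighboring when they differ in exactly one record.
    Pairs with f(D1) == f(D2) are skipped: a self-loop adds no privacy
    constraint (a convention assumed by this example).
    """
    vertices, edges = set(), set()
    for db in product(domain, repeat=n):
        a = f(db)
        vertices.add(a)
        for i, v in product(range(n), domain):
            if v != db[i]:
                b = f(db[:i] + (v,) + db[i + 1:])
                if a != b:
                    edges.add(frozenset((a, b)))
    return vertices, edges

def max_degree(vertices, edges):
    """Delta(G_f): the maximum vertex degree."""
    degree = dict.fromkeys(vertices, 0)
    for edge in edges:
        for v in edge:
            degree[v] += 1
    return max(degree.values())

def has_cycle(vertices, edges):
    """G_f is connected, so it is a tree exactly when |E| = |V| - 1."""
    return len(edges) > len(vertices) - 1

def verdict(f, domain, n, alpha):
    """Apply Theorem 4.2 (cycle) and Theorem 4.3 (degree) to the query f."""
    vertices, edges = constraint_graph(f, domain, n)
    if has_cycle(vertices, edges):
        return "impossible: G_f contains a cycle (Theorem 4.2)"
    delta = max_degree(vertices, edges)
    if delta >= 3 and alpha > 1 / (delta - 1):
        return "impossible: alpha > 1/(Delta - 1) (Theorem 4.3)"
    return "not excluded"

# Queries discussed on the page.
def sum_query(db):              # over domain {0, 1} this is a single count query
    return sum(db)

def histogram3(db):             # histogram over three categories a, b, c
    return tuple(db.count(c) for c in "abc")

def mod_query(db, m=4):         # footnote 5: sum of the bits modulo m
    return sum(db) % m

def star_query(db):
    """Constructed query (not from the page) whose G_f is a star with centre 0
    and leaves 1, 2, 3: even-parity databases map to 0, odd-parity ones to
    1 + (index of their first set bit)."""
    return 0 if sum(db) % 2 == 0 else 1 + db.index(1)

if __name__ == "__main__":
    cases = [("count", sum_query, (0, 1), 3),
             ("sum, m=2", sum_query, (0, 1, 2), 2),
             ("histogram", histogram3, "abc", 2),
             ("mod 4", mod_query, (0, 1), 5),
             ("star", star_query, (0, 1), 3)]
    for name, f, domain, n in cases:
        for alpha in (0.4, 0.6):
            print(f"{name:10s} alpha={alpha}: {verdict(f, domain, n, alpha)}")
```

The enumeration is exponential in n, so it is only meant for checking small instances of a query before reasoning about the general case.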

The proof structure is similar to the one presented in the previous section for sum queries. We
begin with the case where $G_f$ is a simple cycle. We consider two consumers with different priors and
loss function $\ell_{bin}$, and show that the optimal mechanisms for these consumers must have specific
structures (in the sense that some privacy constraints are satisfied tightly). Once again, we show
that for two mechanisms with such structures, there is no mechanism which is at least as general
as these two (i.e., there is no single mechanism which derives both of them).

Next, we extend the proof to the case where $G_f$ contains a cycle. We focus on a cycle in $G_f$ of
smallest size m, and consider two information consumers. The consumers are similar to those for
the case where $G_f$ is a cycle, and so are the optimal mechanisms for them, except that we need
to prove that these optimal mechanisms can be extended in a differentially private manner to the
entire range of f. For that we introduce a labeling of $G_f$ in which the labels of adjacent vertices
differ by at most one modulo m.

Last, we discuss the case where $G_f$ is a tree containing a vertex of degree at least 3. Focusing
on that vertex and three of its adjacent vertices, we present three consumers with different priors.
Again, we focus on the corresponding entries in the matrices of their optimal mechanisms, and
find which constraints must be tight. Assuming all three mechanisms are derived from a single
mechanism U, we present three different partitions of U's range according to which constraints are
tight for every measurable subset of U's range. Combining the attributes from these partitions, we
get one elaborated partition of U's range. We can then assume U's range is finite and reveal the
structure of its matrix columns. Such a structure of U's columns (for the consumers we chose) is
feasible iff we compromise for a privacy parameter $\alpha < 0.5$. Finally, we generalize this claim to any
degree of one vertex.



4.1 The Basic Case: $G_f$ is a Cycle

We begin with the simple case where $G_f$ is a single cycle of m > 2 vertices.⁵

Claim 4.4. If the constraint graph $G_f$ of $f : \mathcal{D}^n \to \mathcal{R}_f$ is a single cycle, then no universally optimal
mechanism for Bayesian information consumers exists for f.

Proof. Assume $G_f$ is the cycle $C_m = (v_0, v_1, \ldots, v_{m-1}, v_0)$. We already proved impossibility of
universal optimality for the case m = 3 in Claim 3.3. We now deal with the case m > 3. As in the
proof of Claim 3.3, we will present two information consumers, and their corresponding optimal
mechanisms, and prove that these cannot be derived from a single mechanism.

We first consider an information consumer with loss function $\ell_{bin}$ and prior $p_{v_0} = p_{v_1} = \cdots =
p_{v_{m-1}} = 1/m$, and construct the unique optimal mechanism X for this consumer. (X is represented
by an m × m matrix since with the $\ell_{bin}$ loss function the support of the optimal mechanism's range
must match the support of the consumer's prior.) An optimal mechanism minimizes

$$\sum_{v_i \in C_m} p_{v_i} \sum_{r} x_{v_i,r} \cdot \ell_{bin}(v_i, r) = \sum_{v_i \in C_m} p_{v_i} \cdot (1 - x_{v_i,v_i}) = 1 - \frac{1}{m} \sum_{v_i \in C_m} x_{v_i,v_i},$$

and hence, the consumer's goal is to maximize $\sum_{v_i \in C_m} x_{v_i,v_i}$ subject to maintaining $\alpha$-differential
privacy. Maintaining $\alpha$-differential privacy implies

$$\alpha^{d_{G_f}(v_i,v_j)} \cdot x_{v_i,v_i} \le x_{v_j,v_i} \quad \forall v_i, v_j \in C_m, \quad (12)$$

and hence, by summing up the inequalities for all $v_i, v_j$, we get

$$\sum_{v_i \in C_m} \sum_{v_j \neq v_i} \alpha^{d_{G_f}(v_i,v_j)} \cdot x_{v_i,v_i} \le \sum_{v_i \in C_m} \sum_{v_j \neq v_i} x_{v_j,v_i} = \sum_{v_i \in C_m} (1 - x_{v_i,v_i}) = m - \sum_{v_i \in C_m} x_{v_i,v_i},$$

and we conclude that

$$\sum_{v_i \in C_m} x_{v_i,v_i} \le \frac{m}{1 + \sum_{v_j \in C_m,\, v_j \neq v_i} \alpha^{d_{G_f}(v_i,v_j)}}.$$

This inequality is tight iff Equation (12) is tight (i.e., $x_{v_j,v_i} = \alpha^{d_{G_f}(v_i,v_j)} \cdot x_{v_i,v_i}$) for every $v_i \neq v_j \in
C_m$. In such a case, we can find the mechanism's entries by solving a system of m linear equations
(the sum of each row in the mechanism must be 1), in a similar argument to the one presented in
the proof of Observation 3.1. Since these are m independent linear equations in m variables, our
optimal solution for $x_{v_1,v_1}, \ldots, x_{v_m,v_m}$ is unique.

5 An example query that yields such a graph is $f : \{0,1\}^n \to [m]$ defined as $f(d_1, \ldots, d_n) = \sum_{i=1}^{n} d_i \bmod m$. If
n > m > 2 then $G_f$ is a cycle of size m.

Utilizing the symmetry of the equations, we get that every row of X is a cyclic shift of:

$$\begin{cases} \delta \cdot (1, \alpha^1, \alpha^2, \ldots, \alpha^{(m-1)/2}, \alpha^{(m-1)/2}, \alpha^{(m-1)/2-1}, \ldots, \alpha^2, \alpha^1) & \text{if } m \text{ is odd,} \\ \delta \cdot (1, \alpha^1, \alpha^2, \ldots, \alpha^{m/2-1}, \alpha^{m/2}, \alpha^{m/2-1}, \ldots, \alpha^2, \alpha^1) & \text{if } m \text{ is even,} \end{cases} \quad (13)$$

where $\delta$ is chosen such that X is row-stochastic. The mechanism X satisfies $\alpha$-differential privacy,
it is optimal for our information consumer, and it is unique.

Our second information consumer uses $\ell_{bin}$ as her loss function, and prior $p_{v_0} = p_{v_1} = p_{v_2} = 1/3$
and $p_{v_3} = \cdots = p_{v_{m-1}} = 0$. Note that since m > 3 the vertices $v_0, v_2$ are not adjacent in $G_f$ (so
$d_{G_f}(v_0, v_2) = 2$). In constructing an optimal mechanism Y for the information consumer we will
only consider the rows and columns pertaining to vertices $v_0, v_1, v_2$, noting that the columns for
all other vertices contain only zeros, and there is some freedom with respect to the rows for the
other vertices. Applying similar arguments as for mechanism X, we get that the columns of Y
are of the forms $(1, \alpha^1, \alpha^2)^T$, $(\alpha^1, 1, \alpha^1)^T$, $(\alpha^2, \alpha^1, 1)^T$ (each of the columns may be multiplied by a
different coefficient). By forcing row stochasticity, we can solve the following equations to get the
coefficients:

and we get a unique structure on the entries of these rows and columns of Y. This mechanism is
of no surprise, as these entries are merely the finite-range version of the geometric mechanism (as
shown in [9]).

Summarizing our findings, we get that 
We now show that instances of such mechanisms X and Y are not derivable from a single
mechanism. Since the conditions stated for these mechanisms are necessary for them to be optimal 
for the two consumers we chose, this will prove that there is no universally optimal mechanism in 
such a scenario. 

Suppose, towards a contradiction, that there exists a mechanism U which derives both X and 
some instance of Y. According to the characterization of generally maximal differentially private 
mechanisms (Theorem 2.6), X is maximally general. Therefore, we get that U is derivable from
X and so Y is derivable from X as well. Therefore, there exists a remapping matrix T such that
Y = XT. Remember that Y's columns are linear combinations of X's columns with non-negative
coefficients, as described in the proof of Claim 3.3. Any tight constraint met in one of Y's columns
must match the same tight constraints in all of X's columns which appear in the linear combination
of that column. Once again, any specific column of X must appear in at least one linear combination
of one of Y's columns with a positive coefficient (as any possible output of X must be remapped
to the values $\{v_0, v_1, v_2\}$ by T). Notice that one of X's columns is

$$\delta \cdot (\alpha^{(m-1)/2}, \alpha^{(m-1)/2}, \alpha^{(m-1)/2-1}, \ldots, 1, \ldots, \alpha^{(m-1)/2-1})^T \quad \text{if } m \text{ is odd,}$$

$$\delta \cdot (\alpha^{m/2-1}, \alpha^{m/2}, \alpha^{m/2-1}, \ldots, \alpha^{m/2-2})^T \quad \text{if } m \text{ is even.}$$

Mapping this column into any of Y's first three columns (with any positive probability) cannot yield
the tight constraints which appear in the first three entries of the chosen column in Y. Therefore,
no such remapping T is feasible and we get a contradiction.

□ 

4.2 Impossibility of Universal Optimality When $G_f$ Contains a Cycle

We now give a proof for Theorem 4.2, which deals with the case where $G_f$ contains a cycle.

Proof. Let $C_m = (v_0, v_1, \ldots, v_{m-1}, v_0)$ be a cycle of smallest size in $G_f$. Based on $C_m$, we will
consider two consumers whose optimal mechanisms contain as sub-matrices the matrices X, Y
from the proof of Claim 4.4, and hence they cannot be derived from a single mechanism.

The First Consumer: uniform prior over $C_m$. Consider an information consumer with loss
function $\ell_{bin}$ and prior $p_{v_0} = p_{v_1} = \cdots = p_{v_{m-1}} = 1/m$ and $p_u = 0$ for every $u \notin C_m$. We will
construct an optimal mechanism X' for this consumer, and will prove that (in some sense) it is
unique. We begin with a labeling algorithm of the vertices in G:

1. Given $C_m = (v_0, v_1, \ldots, v_{m-1}, v_0)$, set $l(v_i) = i$ for $i \in \{0, \ldots, m-1\}$.

2. For s from 1 to m − 1:

(a) Let $V_s$ be the set of unlabeled vertices that are adjacent to vertices labeled s − 1.

(b) Let $l(u) = s$ for all $u \in V_s$.

3. Let $l(u) = m - 1$ for all remaining vertices u.

Claim 4.5. After applying the above algorithm, the labels for every two adjacent vertices differ by
at most 1 (modulo m).

Proof. We show that at any stage of the labeling, any two adjacent vertices satisfy the requirement
that their labels differ by at most 1 (modulo m).

Note first that this holds for all labeled vertices after Step 1. Consider a vertex $u \in V_s$ (i.e.,
$l(u) = s$ is set in iteration s), and an adjacent vertex u' that is labeled $l(u') = s'$ prior to or on
iteration s. Clearly, if $u' \in V_s \cup V_{s-1}$ then $s' \in \{s-1, s\}$ and the statement holds for (u, u').
Otherwise, we consider two sub-cases. In the first, $l(u') = s' < s - 1$, and we are led to a
contradiction since u remains unlabeled after iteration s' + 1 whereas by definition $u \in V_{s'+1}$. In
the second sub-case $l(u') = s' > s + 1$ (if s' = s + 1 the claim holds) and hence it must have been
that u' was labeled in Step 1, i.e., $u' = v_{s'}$ for $s' \in \{s+1, \ldots, m-1\}$. Following the path of labels
which led to the label of u we can get to the vertex $v_0$ via a path of length s. Noting that this path
is disjoint from the length m − s' path $v_{s'} \leadsto v_0 = v_{s'}, v_{s'+1}, \ldots, v_{m-1}, v_0$, we get that G contains
the cycle $v_{s'} \leadsto v_0 \leadsto u \to u'$ that is of length m − s' + s + 1 < m, in contradiction to $C_m$ being the
smallest cycle in G. To conclude the proof, note that every vertex $u \in G$ adjacent to some $u' \in G$
such that $l(u') \in \{0, 1, \ldots, m-2\}$ has been labeled in iteration $l(u') + 1$ or earlier. Therefore in
Step 3 the vertices which are not labeled yet are adjacent only to unlabeled vertices and to vertices
with label m − 1. Labeling the remaining vertices with m − 1 satisfies the requirement. □

We now use the graph labels to construct an optimal mechanism X', represented by a matrix
of dimensions $|\mathcal{R}_f| \times |\mathcal{R}_f|$. The entries of rows $u \notin C_m$ have no effect on the expected loss of this
consumer, as $p_u = 0$. There are, however, restrictions on these rows, as the mechanism X' must be
differentially private. We construct X' as follows:

1. For all $u \notin C_m$, set column u of X' to be a column of zeros.

2. For all $u \in C_m$, set row u of X' as in the optimal mechanism X described in the proof of
Claim 4.4 (i.e., Equation (13)).

3. For all $u \notin C_m$, set row u of X' to be identical to the row corresponding with the vertex
identically labeled in $C_m$.

Clearly, the resulting mechanism is row-stochastic. The privacy constraints also hold: suppose
$u, u' \in \mathcal{R}_f$ are query results of neighboring databases. Therefore, they are adjacent in the constraint
graph, and their labels differ by at most 1 (modulo m). And so, their matching rows in mechanism
X' are either identical or they are the same as rows of two adjacent vertices $v_i, v_j \in C_m$ in mechanism
X. Since the rows of X satisfy the privacy constraints, so do the rows of X'. In
other words, we just showed that mechanism X can be extended to any query f whose constraint
graph $G_f$ contains $C_m$ but no smaller cycles.
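
The labeling algorithm and the three-step construction of X' can be executed on a concrete graph. The following Python sketch is an added example, not code from the paper; the sample graph, the value of α and all function names are constructed for illustration. It labels a graph whose smallest cycle is $C_5$, builds X' from the cyclic rows of Equation (13), and checks row-stochasticity and α-differential privacy across every edge.

```python
def cycle_row(m, alpha):
    """Row of v_0 in the mechanism X of Equation (13): entry j is
    delta * alpha^d(v_0, v_j), with d the distance on the cycle C_m."""
    weights = [alpha ** min(j, m - j) for j in range(m)]
    delta = 1 / sum(weights)
    return [delta * w for w in weights]

def label_vertices(adj, cycle):
    """The labeling algorithm that precedes Claim 4.5."""
    m = len(cycle)
    label = {v: i for i, v in enumerate(cycle)}                # Step 1
    for s in range(1, m):                                       # Step 2
        v_s = {u for v, lab in label.items() if lab == s - 1
               for u in adj[v] if u not in label}               # Step 2(a)
        label.update((u, s) for u in v_s)                       # Step 2(b)
    for u in adj:                                               # Step 3
        label.setdefault(u, m - 1)
    return label

def labels_differ_by_at_most_one(adj, label, m):
    """Claim 4.5: labels of adjacent vertices differ by at most 1 modulo m."""
    return all((label[u] - label[w]) % m in (0, 1, m - 1)
               for u in adj for w in adj[u])

def extend_mechanism(adj, cycle, alpha):
    """Build X' as a dict of rows: X[u][r] = Pr[output r | query result u]."""
    m = len(cycle)
    label = label_vertices(adj, cycle)
    base = cycle_row(m, alpha)
    X = {}
    for u in adj:
        X[u] = dict.fromkeys(adj, 0.0)        # columns outside C_m stay zero
        for j, v in enumerate(cycle):         # copy the row of v_{l(u)}
            X[u][v] = base[(j - label[u]) % m]
    return X

def is_private(X, adj, alpha, tol=1e-12):
    """alpha-differential privacy: X[u][r] >= alpha * X[w][r] for adjacent u, w."""
    return all(X[u][r] >= alpha * X[w][r] - tol
               for u in adj for w in adj[u] for r in X[u])

def is_row_stochastic(X, tol=1e-12):
    return all(abs(sum(row.values()) - 1) < tol and min(row.values()) >= 0
               for row in X.values())

# Constructed sample graph: the cycle C_5 on vertices 0..4, a pendant path
# 1-a-b-c-d, and a path 0-e-f-g-2 that closes only longer cycles (6 and 7),
# so C_5 remains a smallest cycle.
CYCLE = [0, 1, 2, 3, 4]
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0),
         (1, "a"), ("a", "b"), ("b", "c"), ("c", "d"),
         (0, "e"), ("e", "f"), ("f", "g"), ("g", 2)]
ADJ = {}
for a, b in EDGES:
    ADJ.setdefault(a, set()).add(b)
    ADJ.setdefault(b, set()).add(a)
ALPHA = 0.6   # constructed value of the privacy parameter

if __name__ == "__main__":
    label = label_vertices(ADJ, CYCLE)
    X = extend_mechanism(ADJ, CYCLE, ALPHA)
    print("labels:", label)
    print("Claim 4.5 holds:", labels_differ_by_at_most_one(ADJ, label, len(CYCLE)))
    print("row-stochastic:", is_row_stochastic(X))
    print("alpha-private:", is_private(X, ADJ, ALPHA))
```

Giving an outside vertex the row of a cycle vertex whose label differs by two from a neighbor's label (for example, reusing the row of $v_0$ for the vertex adjacent to $v_2$) breaks the privacy check, which is why the labeling of Claim 4.5 is needed.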

Notice that only rows of $C_m$ affect the expected loss in X', which is hence identical to that
of X. Since any mechanism in this scenario has to satisfy all the restrictions for just the vertices
of the cycle $C_m$, and more, the expected loss for any optimal mechanism in the current scenario
is lower bounded by that of X. Hence, we can conclude that X' is optimal for the information
consumer, and furthermore, X' restricted to the rows corresponding to $C_m$ is unique.

The Second Consumer: uniform prior over $v_0, v_1, v_2$. Consider an information consumer
with loss function $\ell_{bin}$ and prior $p_{v_0} = p_{v_1} = p_{v_2} = 1/3$ and $p_u = 0$ for every other $u \in \mathcal{R}_f$. We
argue that every optimal mechanism Y' for this consumer has the same structure on rows $v_0, v_1, v_2$
as mechanism Y in Equation (14). As the impossibility of universal optimality for the case of m = 3
was already covered, and we assumed m > 3, $v_0$ and $v_2$ are not adjacent in $G_f$. This enables us
to label the vertices in such a way: $l(v_0) = 0$, $l(v_2) = 2$ and $l(u) = 1$ for any other vertex in $G_f$.
Again, it is clear that every two adjacent vertices have labels which differ by 1 at most. Similar
arguments as the ones presented for the first consumer show that the first three rows of every
optimal mechanism for this consumer (i.e., the rows for $v_0, v_1, v_2$) have the same structure as the
first three rows of mechanism Y in Equation (14).

Assume towards a contradiction that both X' and Y' are derivable from a single mechanism U'.
Therefore there exist remappings T, S such that X' = U'T and Y' = U'S. Let U be the mechanism
U' reduced to only the inputs of the cycle $C_m = \{v_0, v_1, \ldots, v_{m-1}\}$. Reducing U' to U, we get that
X = UT and Y = US. According to the previous subsection these two mechanisms cannot be
derived from a single oblivious mechanism, due to the same arguments in the proof of Claim 3.3.
Thus, we get a contradiction.

□ 

4.3 Impossibility of Universal Optimality When $\Delta(G_f) > 3$

We now focus on acyclic constraint graphs and prove Theorem 4.3 and its conclusion that for
$\alpha > 0.5$ no universally optimal mechanism exists unless the constraint graph is a simple chain.

Proof. For simplicity of this proof, we first focus only on 3 neighbors of a specific vertex, and 
prove that no universally optimal mechanism exists for $\alpha > 1/(3 - 1) = 0.5$. Later, we generalize 
this result for a vertex of any degree by taking into account all of the vertex's neighbors. The 
generalization is done using the same methods we use to prove the simpler case. 

Let $v_0$ be a vertex in $G_f$ with a degree greater than 2. Let $v_1, v_2, v_3$ be 3 of its neighbors. We 
choose some consumers with loss function $\ell_{bin}$ and zero a priori probability for all values other than 
$v_0, v_1, v_2, v_3$. We define some necessary conditions on the optimal mechanisms of these consumers 
and show it is impossible to simultaneously derive optimal mechanisms for these consumers from a 
single mechanism U (when $\alpha > 0.5$). 

Note that by the tree structure of $G_f$, every mechanism that satisfies the requirements of 
differential privacy on query results $v_0, v_1, v_2, v_3$ can be easily extended to a differentially private 
mechanism on all results of $\mathcal{R}_f$. Furthermore, since our consumers have zero a priori probability 
for all other values, the entries in rows corresponding to values other than $v_0, v_1, v_2, v_3$ do not affect 
the consumers' expected loss. Hence, it suffices to show the impossibility result for the case where 
$G_f$ is restricted to $v_0, v_1, v_2, v_3$. 

Consider first an information consumer with prior $p_{v_0} = p_{v_1} = p_{v_2} = 1/3$, $p_{v_3} = 0$. Note that 
$v_1, v_0, v_2$ is a simple path of length 3 in $G_f$ for which the optimal mechanism was described in 
Section 4.1. Any optimal mechanism for this consumer is of the form 

$$Y = \begin{pmatrix} c_0 & c_1 \alpha & c_2 \alpha & 0 \\ c_0 \alpha & c_1 & c_2 \alpha^2 & 0 \\ c_0 \alpha & c_1 \alpha^2 & c_2 & 0 \\ q_0 & q_1 & q_2 & 0 \end{pmatrix}$$

where $q_0 + q_1 + q_2 = 1$ and they are subject to some privacy constraints. The restrictions on the 
optimal mechanism for this consumer are the same as those on mechanism Y in Equation (|14p . 
only now $v_0$ is the vertex in the middle, so the first two rows were swapped, as were the first two 
columns. 

6 One possible extension is as follows: Suppose X is a mechanism from $\{v_0, v_1, v_2, v_3\}$ to $\{v_0, v_1, v_2, v_3\}$. Label 
each of the vertices $v_0, v_1, v_2, v_3$ by $l(v_i) = i$, then label every other vertex in the graph with the same label as its 
nearest labeled vertex. Construct a mechanism X' from X like this: Set $x'_{v_i,v_j} = x_{v_i,v_j}$ for every $i, j \in \{0, 1, 2, 3\}$. 
Set $x'_{v_i,u} = 0$ for every $u \notin \{v_0, v_1, v_2, v_3\}$. For every $u \notin \{v_0, v_1, v_2, v_3\}$, set the row of $u$ to be the same as the row 
of $v_{l(u)}$. 

7 An example query that yields such a graph is $f : \{1, 2, 3\}^n \to \{0, 1, 2, 3\}$ defined as $f(D) = i$ if all records in $D$ 
equal $i$, $0$ otherwise. 

Suppose that such a mechanism was derived from a universal mechanism U by some remapping 
T. Suppose for now that U's range is discrete and so it can be expressed in matrix form. (We abuse 
a little the notion of a matrix and allow U to have infinitely many columns, and T to have infinitely 
many rows, if needed). As noted before, this means that Y's columns are linear combinations with 
positive coefficients of columns in U. Also, remember that since the coefficients are non-negative, 
linearly combining columns which do not hold tight privacy constraints, cannot yield a column 
with tight constraints. Since T is row-stochastic, every row of T has at least one positive entry. 
This means that every column in U is remapped (with some positive probability) to a column in 
Y. Assume U does not have zero columns (otherwise we could just ignore them as they pertain to 
results which are not in U's range). From the reasons above and the structure of constraints 
in Y which are tight, we conclude that all of U's columns can be partitioned into columns of the 
forms: $\delta_1 \cdot (1, \alpha, \alpha, *)^T$, $\delta_2 \cdot (\alpha, 1, \alpha^2, *)^T$, $\delta_3 \cdot (\alpha, \alpha^2, 1, *)^T$. The first set of columns is summed by T 
into the first column of Y, the second set is summed by T into the second column of Y, and the 
third set is summed to the third column of Y. The $*$ can take infinitely many values as it does not 
necessarily match to a tight constraint in Y. 

Considering now an information consumer with a prior $p_{v_0} = p_{v_1} = p_{v_3} = 1/3$, $p_{v_2} = 0$, and 
applying the same arguments, we have that the non-zero columns of the universal mechanism 
U are partitioned into columns of the forms $\delta_1 \cdot (1, \alpha, *, \alpha)^T$, $\delta_2 \cdot (\alpha, 1, *, \alpha^2)^T$, $\delta_3 \cdot (\alpha, \alpha^2, *, 1)^T$. 
Similarly, considering a consumer with a prior $p_{v_0} = p_{v_2} = p_{v_3} = 1/3$, $p_{v_1} = 0$, we have that 
the non-zero columns of the universal mechanism U are partitioned into columns of the forms 
$\delta_1 \cdot (1, *, \alpha, \alpha)^T$, $\delta_2 \cdot (\alpha, *, 1, \alpha^2)^T$, $\delta_3 \cdot (\alpha, *, \alpha^2, 1)^T$. 

Notice that every non-zero column in U must match one category in each of the partitions 
described above. Combining these conditions together, we have that the non-zero columns of U 
are partitioned into columns of the forms $\gamma_1 \cdot (1, \alpha, \alpha, \alpha)^T$, $\gamma_2 \cdot (\alpha, 1, \alpha^2, \alpha^2)^T$, $\gamma_3 \cdot (\alpha, \alpha^2, 1, \alpha^2)^T$, 
$\gamma_4 \cdot (\alpha, \alpha^2, \alpha^2, 1)^T$. As the columns in every category are proportional to one another, we assume that 
the mechanism U has exactly one column in each of these categories. We can assume that, since 
if U' is a mechanism with two non-zero columns which are proportional to one another, we can 
produce a mechanism U by replacing these columns with a single column containing their sum. 
Then U is derivable from U', and vice versa. Therefore these mechanisms are equivalent. 

Note that we assumed U's range is discrete only for convenience. U's range can be continuous 
as well, as explained by Kifer and Lin [11]. Define T's inverse to be, for every vertex $v$, $T^{-1}(v) = 
\{o' \in \mathrm{Rng}(U) : \Pr[T(o') = v] > 0\}$. The same arguments from before hold, and we get that for 
every measurable $O' \subseteq T^{-1}(v)$, and any adjacent vertices $v_i, v_j$, 
$\frac{\Pr[T \circ U(v_i) = v]}{\Pr[T \circ U(v_j) = v]} = \frac{\Pr[U(v_i) \in O']}{\Pr[U(v_j) \in O']}$, unless 
one of the probabilities is zero in which case all the probabilities are zero due to differential privacy 
constraints. This is because we assume $\frac{\Pr[T \circ U(v_i) = v]}{\Pr[T \circ U(v_j) = v]}$ is tight by differential privacy constraints, 
and it can be expressed as a positive combination over measurable sets in $T^{-1}(v)$ which, therefore, 
must be tight as well. And so, the same structure of tight constraints as they appear in the derived 
mechanism, must appear also for every measurable subset of $T^{-1}(v)$ for every $v$ in the derived 
mechanism's output. 

We conclude that a universal mechanism must be of the form: 

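$$U = \begin{pmatrix} c_0 & c_1 \alpha & c_2 \alpha & c_3 \alpha \\ c_0 \alpha & c_1 & c_2 \alpha^2 & c_3 \alpha^2 \\ c_0 \alpha & c_1 \alpha^2 & c_2 & c_3 \alpha^2 \\ c_0 \alpha & c_1 \alpha^2 & c_2 \alpha^2 & c_3 \end{pmatrix}$$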

The privacy and non-negativity constraints hold if $c_i > 0$ for every $i$. Imposing row-stochasticity, 
we can solve for the coefficients and get the unique solution: $c_1 = c_2 = c_3 = 1/(\alpha + 1)$, $c_0 = 
(1 - 2\alpha)/(\alpha + 1)$. Mechanism U is only feasible if $c_0 > 0$, or equivalently $\alpha < 0.5$. 

Note that, so far, we used only three of the vertices adjacent to $v_0$. Suppose $v_0$ has $k > 3$ 
neighbors. We actually can achieve stronger results by treating more consumers, each with a prior 
of uniform probability over only three vertices (one of which is $v_0$). Using the same arguments, and 
combining the partitions imposed by each of the consumers on U's columns, we get that U's positive 
columns are partitioned into columns of the forms: $\gamma_0 \cdot (1, \alpha, \alpha, \ldots, \alpha)^T$, $\gamma_1 \cdot (\alpha, 1, \alpha^2, \ldots, \alpha^2)^T$, 
$\gamma_2 \cdot (\alpha, \alpha^2, 1, \ldots, \alpha^2)^T$, $\ldots$, $\gamma_k \cdot (\alpha, \alpha^2, \alpha^2, \ldots, 1)^T$. Thus, a universal mechanism for all these consumers 
must have the structure: 

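
$$U = \begin{pmatrix} c_0 & c_1 \alpha & c_2 \alpha & \cdots & c_k \alpha \\ c_0 \alpha & c_1 & c_2 \alpha^2 & \cdots & c_k \alpha^2 \\ c_0 \alpha & c_1 \alpha^2 & c_2 & \cdots & c_k \alpha^2 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ c_0 \alpha & c_1 \alpha^2 & c_2 \alpha^2 & \cdots & c_k \end{pmatrix}$$
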

Imposing row-stochasticity, we can solve for the coefficients and get the unique solution: $c_i = 
1/(\alpha + 1)$ for every $i > 0$ and $c_0 = (1 - (k - 1)\alpha)/(\alpha + 1)$. Mechanism U is only feasible if $c_0 > 0$, 
or equivalently $\alpha < 1/(k - 1)$. 

□ 
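
The feasibility threshold derived in this proof can be checked mechanically. The following Python sketch is an added example, not code from the paper: it builds the tight-constraint pattern for a vertex $v_0$ with $k$ neighbors, solves the row-stochasticity system exactly, and tests whether the result is a valid mechanism. The function names are illustrative assumptions, and $0 < \alpha < 1$ is assumed.

```python
from fractions import Fraction

def pattern(alpha, k):
    # Column j >= 1 has the form (alpha, alpha^2, ..., 1 at row j, ..., alpha^2)^T;
    # column 0 is (1, alpha, ..., alpha)^T. Index 0 is the hub v_0, 1..k its neighbors.
    n = k + 1
    P = [[alpha * alpha] * n for _ in range(n)]
    for i in range(n):
        P[i][0] = P[0][i] = alpha
        P[i][i] = Fraction(1)
    return P

def solve(A, b):
    # Exact Gauss-Jordan elimination over Fractions; A must be non-singular.
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        M[col] = [x / M[col][col] for x in M[col]]
        for r in range(n):
            if r != col:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def universal_candidate(alpha, k):
    # Coefficients c forced by row-stochasticity, and U[i][j] = c_j * pattern[i][j].
    alpha = Fraction(alpha)
    P = pattern(alpha, k)
    c = solve(P, [Fraction(1)] * (k + 1))
    return c, [[c[j] * P[i][j] for j in range(k + 1)] for i in range(k + 1)]

def is_feasible(alpha, k):
    # A mechanism needs non-negative entries, rows summing to 1, and, for the
    # adjacent pairs (v_0, v_i), entry ratios between alpha and 1/alpha.
    alpha = Fraction(alpha)
    c, U = universal_candidate(alpha, k)
    private = all(alpha * U[0][j] <= U[i][j] and alpha * U[i][j] <= U[0][j]
                  for i in range(1, k + 1) for j in range(k + 1))
    return (private and all(x >= 0 for row in U for x in row)
            and all(sum(row) == 1 for row in U))

if __name__ == "__main__":
    for a in (Fraction(1, 3), Fraction(3, 5)):
        c, _ = universal_candidate(a, 3)
        print(a, [str(x) for x in c], is_feasible(a, 3))
```

For $k = 3$ the solved coefficients match the closed form above, and $c_0$ turns negative once $\alpha$ exceeds $1/(k - 1)$, so no row-stochastic matrix with this column structure exists there.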